In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance teams are dedicated to obtaining and maintaining industry recognized security and privacy third party certifications and attestations. The benefits from these activities include:
Generally, the scope of the items listed on this page include GitLab.com, the GitLab.com production environment, and global policies and procedures relied upon for control implementation.
Are you looking for security certifications/attestations for GitLab Dedicated? Please look here.
|Security Compliance||Responsible for external certification gap analysis, external audit hosting and self certification activities|
|Internal Audit||Responsible for executing Internal Audit control tests to determine test of design and test of operating effectiveness of all internal controls as required by audit plan.|
|Security Risk||Responsible for executing Third Party Risk Management (TPRM) risk and security assessments to determine risk associated with third party applications and services, self certification or attestation activities|
|Field Security||Responsible for executing Customer Assurance Activities(CAA) responsible for providing customer assurance with GitLab's security practices and operating procedures, self certification or attestation activities|
The following security certifications and attestations are currently on our roadmap for consideration and have not yet been formally committed or contracted: Year(s): FY23
GitLab's SOC3 report is publicly available and can be found within the
Community Package on our Customer Assurance Package webpage. The nature of some of our other external testing is such that not all reports can be made publicly available. Not only do these reports contain very detailed information about how our systems operate (which could make a potential attack against GitLab easier) but these reports also contain proprietary information about how these audit firms conduct their testing. For these reasons we can only share SOC 2 and Penetration Test reports with prospective customers that are under an NDA with GitLab or with current customers bound by the confidentiality of our customer agreements. The reports should not be shared with anyone other than the individual requestor(s).
GitLab Team Members should follow the Customer Assurance Activities workflow and use the option for "Customer Request".
Current or Prospective customers may request these through their Account Manager, or by using the
Request by Email option on the Customer Assurance Package webpage.